


Introduction to Network Security

Chapter 7 Transport Layer Protocols

Dr. Doug Jacobson - Introduction to Network Security - 2009

Topics

  • TCP Layer
– Responsible for reliable end-to-end transfer of application data.
  • TCP vulnerabilities
  • UDP
  • UDP vulnerabilities
  • DNS


TCP Services

Multiplexing:

  • A process within a host using TCP service is identified with a port. A port, when concatenated with an internet address, forms a Socket, which is unique throughout the internet.
  • Service provided by TCP is provided by means of a logical connection between a pair of sockets.

Figure 7.1 TCP Multiplexing (figure: Applications 1 through N, each bound to Source Ports 1 through N, above the multiplexing service of the TCP layer, which sits above the IP layer)

TCP port numbers

  5 RJE                        68 Bootstrap Protocol Client
  7 echo                       69 Trivial FTP
  9 Discard                    75 any private dialout service
 11 Active Users               77 any private RJE service
 13 daytime                    79 FINGER
 15 Who is up                 101 NIC host name server
 17 Quote of the day          102 ISO-TSAP
 19 Character Generator       103 X.400
 20 FTP (default data)        104 X.400-SND
 21 FTP (control)             105 CSnet Name server
 23 TELNET                    109 Post Office Protocol Ver 2
 25 SMTP                      113 Authentication Service
 37 Time                      115 Simple FTP
 42 Host name service         119 NNTP
 53 Domain name server        123 NTP
 67 BOOTP                     161 SNMP agent
                              162 SNMP management station


TCP Connection Management

Consists of three services:

  • Connection Establishment: Allow two TCP users to set up a logical connection between their respective sockets. A connection may be set up if:
– No connection between the two sockets currently exists. From a given socket, it is possible to simultaneously maintain more than one connection, but only one connection to any specific remote socket at a time is permitted.
– Internal TCP resources are sufficient.
– Both users have agreed to the connection.


TCP Connection Management

  • Connection Maintenance service provides for the exchange of data between the two sockets and supports the data transport (described in the next slide).
  • Connection Termination may be either abrupt or graceful. With abrupt termination, data in transit may be lost. A graceful termination prevents either side from shutting down until all data have been received.


TCP Data Transport

  • Full Duplex: Both users may transmit at once.
  • Timely: The user may request timely delivery of data by associating a timeout with data submitted for transmission. If TCP detects a timeout the connection is abruptly terminated.
  • Ordered: TCP is stream oriented. TCP guarantees that the stream of data presented by one user to TCP will be delivered in the same order to the destination user.
  • Labeled: TCP establishes a connection only if the security designations provided by both users match.
  • Flow Control: Used to prevent internal TCP congestion.
  • Error Control: TCP uses a simple checksum.


TCP

  • Stream Orientation - When two application processes transfer large volumes of data, we can think of the data as a stream of bits divided into 8-bit bytes. The stream service on the destination passes the same sequence of octets to the receiver that the sender passed to the source machine. Data are not treated as packets but as a stream of data that is passed to the transport entity. The transport entity will divide the data into packets for transmission to the destination. The destination transport entity will pass the data to the user as a stream.


TCP Stream


TCP Special Capabilities

TCP supports two special capabilities associated with the transfer of data:

  • Data Stream Push: Used to force the delivery of all data waiting to be sent.
  • Urgent Data Signaling: Provides a means of informing the destination TCP user that urgent data is in the incoming data stream.


TCP Error Reporting

  • TCP will report service failure stemming from catastrophic conditions.


TCP Services

  • Unspecified Passive open
  • Fully Specified Passive Open
  • Active Open
  • Active Open with data
  • Send
  • Deliver
  • Allocate
  • Close
  • Abort
  • Terminate
  • Error


TCP Protocol

Connection Establishment:

  • TCP uses a three-way handshake for connection establishment. As we will see, TCP defines only one packet format, which contains flags to indicate what type of packet it is. The connection packets have the SYN flag set.


TCP 3-way Handshake

Figure 7.3 TCP Connection Establishment (Client and Server)

  SYN - ISN = 3000
  SYN+ACK - ISN = 4000, ACK = 3001
  ACK - SN = 3001, ACK = 4001


TCP Protocol

Data Transfer:

  • Sequence numbers are used for data transfer. The sequence numbers represent the number of bytes, not the number of packets. Flow control is handled by using a credit allocation scheme as described earlier.


TCP Data Transfer


TCP Connection Termination

Connection Termination:

  • The connection is terminated by sending a packet with the FIN flag set. This packet contains the number of the last packet sent.


TCP Connection termination

Figure 7.5 TCP Graceful Termination (Client and Server)

  FIN - SN = A, ACK = B
  FIN+ACK - SN = B, ACK = A+1
  ACK - SN = A, ACK = B+1


TCP Header Format

Figure 7.6 TCP Header Format

  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Hdr-Len | Reserved | Flags (URG ACK PSH RST SYN FIN) | Window Size
  Checksum | Urgent Pointer
  Options

  Flag  Function
  URG   Packet contains urgent data
  ACK   Acknowledgment number is valid
  PSH   Data should be pushed to the application
  RST   Reset packet
  SYN   Synchronize packet
  FIN   Finish packet


Header Based

  • There have been several attacks using invalid flag combinations.
  • Most have been fixed; however, this is now used to help determine the type of operating system.
– Probing attacks
  • Invalid header responses
  • Initial values
– Sequence numbers
– Window size
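The header layout of Figure 7.6 and the invalid flag combinations discussed above, as an added example that is not part of the lecture slides: a Python decoder for the fixed 20-byte TCP header, plus a small rule set of the kind a passive filter would log, flagging combinations no conforming TCP stack sends (no flags at all, SYN together with FIN or RST, FIN/PSH/URG without ACK). The rule set and the constructed sample headers are this example's own choices; the checksum is decoded but not verified, since verifying it needs the IP pseudo-header.

```python
import struct
from typing import Dict, List, Optional

# Flag bits in the low byte of the "Hdr-Len | Reserved | Flags" word (RFC 793 layout).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flag_names: List[str], window: int = 65535) -> bytes:
    """Constructed 20-byte TCP header for testing (checksum and urgent pointer
    left at 0; a real checksum needs the IP pseudo-header)."""
    off_flags = 5 << 12                      # data offset = 5 words = 20 bytes
    for name in flag_names:
        off_flags |= FLAG_BITS[name]
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fields of Figure 7.6 from the start of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4          # Hdr-Len counts 32-bit words
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError(f"bad header length {hdr_len}")
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "hdr_len": hdr_len, "flags": flags, "window": window,
            "checksum": checksum, "urgent_ptr": urg,
            "options": segment[20:hdr_len]}


def invalid_flag_combination(flags: Dict[str, bool]) -> Optional[str]:
    """Describe the flag combination if no conforming TCP stack would send it,
    else return None. The rule set is this example's choice."""
    on = {name for name, is_set in flags.items() if is_set}
    if not on:
        return "no flags set"
    if {"SYN", "FIN"} <= on:
        return "SYN and FIN set together"
    if {"SYN", "RST"} <= on:
        return "SYN and RST set together"
    if on & {"FIN", "PSH", "URG"} and not on & {"ACK", "SYN"}:
        return "FIN/PSH/URG without ACK"
    return None


if __name__ == "__main__":
    for names in (["SYN"], ["SYN", "FIN"], [], ["FIN", "PSH", "URG"], ["ACK", "PSH"]):
        hdr = parse_tcp_header(build_tcp_header(40000, 80, 3000, 0, names))
        print(names, "->", invalid_flag_combination(hdr["flags"]))
```

Run directly, the script prints the verdict for five constructed headers; feed `parse_tcp_header` the bytes that follow the IP header of a captured segment to decode real traffic.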


Protocol Based

  • Syn flood
  • Reset Packets
  • Session Hijacking


SYN Flood

(figure: Attackers A1 through A5 and a Valid User, all reaching the Victim across the Internet)


Reset Shutdown


Session Hijacking

(figure: Victim, Attacker and Server connected across the Internet through a Router; the Attacker sits on a network where it can see the traffic between the Victim and the Server)


Session Hijacking

(figure: message sequence between Attacker, Server and Victim: SYN, SYN+ACK, ACK, DATA, RST, DATA, DATA, DATA+ACK, DATA+ACK, DATA+ACK)


Passive Network Filter

(figure: User, Filter and Server connected across the Internet through a Router; the Filter sits on a network where it can see the traffic between the User and the Server)


Mitigation

  • Encryption can fix Session hijacking
  • Reset is harder
  • Syn flood is hard
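The handshake of Figure 7.3 and the SYN flood of the preceding slides, as an added example that is not part of the lecture slides: a Python tracker that follows each SYN / SYN+ACK / ACK exchange by connection, checks the acknowledgment numbers (ACK = ISN + 1 in both directions), drops attempts a RST abandons, and reports client addresses holding many half-open connections, which is what a passive filter watching the network would count. The flow records, addresses and threshold are constructed for this example.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# A connection is keyed from the client's side: (client ip, client port, server ip, server port).
Key = Tuple[str, int, str, int]


class HandshakeTracker:
    """Follow each SYN / SYN+ACK / ACK exchange (Figure 7.3) and keep the
    attempts that never completed it, i.e. the server's half-open connections."""

    def __init__(self) -> None:
        self.pending: Dict[Key, dict] = {}    # half-open: SYN seen, final ACK not yet
        self.established: Set[Key] = set()

    def observe(self, src: str, sport: int, dst: str, dport: int,
                flags: Set[str], seq: int, ack: int) -> None:
        if "RST" in flags:                    # a reset from either side abandons the attempt
            self.pending.pop((src, sport, dst, dport), None)
            self.pending.pop((dst, dport, src, sport), None)
        elif flags == {"SYN"}:                # client's ISN; server side is now half-open
            self.pending[(src, sport, dst, dport)] = {"client_isn": seq, "server_isn": None}
        elif flags == {"SYN", "ACK"}:         # server answers, so the key is reversed
            state = self.pending.get((dst, dport, src, sport))
            if state is not None and ack == state["client_isn"] + 1:
                state["server_isn"] = seq
        elif flags == {"ACK"}:
            key = (src, sport, dst, dport)
            state = self.pending.get(key)
            if (state is not None and state["server_isn"] is not None
                    and seq == state["client_isn"] + 1
                    and ack == state["server_isn"] + 1):
                del self.pending[key]
                self.established.add(key)

    def half_open_by_client(self) -> Counter:
        return Counter(key[0] for key in self.pending)

    def suspected_floods(self, threshold: int) -> Dict[str, int]:
        """Client addresses holding at least `threshold` half-open connections."""
        return {ip: n for ip, n in self.half_open_by_client().items() if n >= threshold}


# Constructed flow records (src, sport, dst, dport, flags, seq, ack); not captured traffic.
SAMPLE_RECORDS: List[tuple] = [
    # one complete handshake, using the numbers from Figure 7.3
    ("10.0.0.5", 40000, "192.0.2.10", 80, {"SYN"}, 3000, 0),
    ("192.0.2.10", 80, "10.0.0.5", 40000, {"SYN", "ACK"}, 4000, 3001),
    ("10.0.0.5", 40000, "192.0.2.10", 80, {"ACK"}, 3001, 4001),
    # four SYNs from one address whose SYN+ACKs are never acknowledged
    ("198.51.100.7", 50001, "192.0.2.10", 80, {"SYN"}, 1000, 0),
    ("192.0.2.10", 80, "198.51.100.7", 50001, {"SYN", "ACK"}, 7000, 1001),
    ("198.51.100.7", 50002, "192.0.2.10", 80, {"SYN"}, 1000, 0),
    ("192.0.2.10", 80, "198.51.100.7", 50002, {"SYN", "ACK"}, 7100, 1001),
    ("198.51.100.7", 50003, "192.0.2.10", 80, {"SYN"}, 1000, 0),
    ("198.51.100.7", 50004, "192.0.2.10", 80, {"SYN"}, 1000, 0),
    # an ACK with the wrong acknowledgment number does not complete port 50001
    ("198.51.100.7", 50001, "192.0.2.10", 80, {"ACK"}, 1001, 9999),
    # a client whose attempt the server cut off with a RST is no longer half-open
    ("10.0.0.6", 40001, "192.0.2.10", 80, {"SYN"}, 5000, 0),
    ("192.0.2.10", 80, "10.0.0.6", 40001, {"RST"}, 0, 5001),
]


def run_sample(threshold: int = 3) -> Tuple[HandshakeTracker, Dict[str, int]]:
    tracker = HandshakeTracker()
    for record in SAMPLE_RECORDS:
        tracker.observe(*record)
    return tracker, tracker.suspected_floods(threshold)


if __name__ == "__main__":
    tracker, suspects = run_sample()
    print("established:", sorted(tracker.established))
    print("half-open per client:", dict(tracker.half_open_by_client()))
    print("suspected SYN flood sources:", suspects)
```

The tracker keeps state per connection rather than per address, so a busy legitimate client with many completed connections is never counted; only attempts stuck after the server's SYN+ACK are. In practice the pending table also needs an age-out, since a flood is defined by how long entries stay half-open, not just how many there are.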


Authentication Based

  • No authentication in TCP
  • Ports might be considered an authentication of the application


Traffic Based

  • Flooding (using all of the TCP resources)
  • QOS
  • Sniffing


User Datagram Protocol

  • Designed to allow connectionless protocols
  • Typical applications will send one packet and wait for a single response.

UDP header:

  Source Port | Destination Port
  UDP Total Length | Checksum


UDP Attacks

  • Header & Protocol: None, since there is no protocol and a very simple header
  • Authentication: same as TCP
  • Traffic: typically not a problem. Sniffing is a potential problem, but most UDP protocols don't try to hide data. Flooding is hard with UDP.
  • Mitigation: Most organizations block all UDP except port 53 (DNS)


Domain Name Service

  • Designed to give organizations a way of controlling their name space
  • Distributed control over computer name to IP address mapping
  • DNS normally uses UDP and port 53
– If the answer is bigger than 512 bytes, can use TCP


Domain Names

  • Tree Structure - max 128 levels, root = level 0
  • Domain name: www.iastate.edu
– Each name between the dots is called a label
– Label <= 63 characters
  • Fully qualified domain name: www.iastate.edu.
– Adds "." at the end
  • Partially qualified domain name
– Supported by the client
– The leftmost part of a domain name
– E.g., www. gets filled in to www.iastate.edu by the client


DNS Name Space


Server Types

  • Server Types
– Root Server
– Primary Server
– Secondary Server
  • Can only push data from Primary to Secondary (not Secondary to Primary)


DNS Queries

  • DNS Queries
– Name to Address
– Address to Name
  • Resolver: Client code that queries DNS using two lookup methods:
– Recursive
– Iterative


Reverse Query

  • IP to Name
  • 129.186.5.100 – what is its name?
  • Query is made to:
– 100.5.186.129.in-addr.arpa.
  • This way it can be parsed just like a name
– 129 then 186 then 5 then 100


Reverse Lookups

  • IP to Name conversion
  • Not all IP addresses will resolve to a name

Figure 7.13 DNS Reverse Name Hierarchy (figure: Root Server, then arpa, in-addr, 129, 186, 5, 103, giving 103.5.186.129.in-addr.arpa.)


DNS System

Figure 7.14 DNS System (figure: a device with resolver only, whose applications use a resolver with a cache and a config holding the IP address of its DNS server; and a device with a DNS server, whose applications use a resolver that queries the local DNS server and its cache, which holds the IP address of the next level server)


Recursive Query Method

(figure: the ten numbered message steps of a recursive query)


Iterative Query Method

Figure 7.16 DNS Iterative Mode (figure: the client asks its DNS server "What is the IP address of vulcan.dougj.net"; that server is told "Ask this server" in turn by the Root Server, a First Level Server and the dougj.net server, obtains the IP address of vulcan.dougj.net, and the client then accesses the web server vulcan.dougj.net; ten numbered steps)


Responses

  • If the answer comes back from any DNS server that has the answer cached it is called unauthoritative
  • To handle the stale cache issue there is a time to live for each response.


DNS Uses Two Messages

  • Query := two fields
– header | question
  • Response := five fields
– header | question | answer | authoritative | additional


DNS Packet Format


DNS Message Header

  • Header = 12 bytes
– Id = 2 bytes
– Flags = 2 bytes (see next slide)
– # of questions = 2 bytes
– # of answers = 2 bytes (0 in query)
– # of authoritative answers = 2 bytes (0 in query)
– # of additional answers = 2 bytes (0 in query)


Flags Field

  • 1 bit – Q/R 0=query, 1= response
  • 4 bits – opcode

– 0 = standard
– 1 = inverse
– 2 = server status request

  • 1 bit AA – 1 = Authoritative answer
  • 1 bit TC – 1 = answer > 512 bytes
  • 1 bit RA – 1 = recursion available
  • 3 bits of zero
  • 4 bits – response code ( see next slide)


Response codes

  • 0 No Error
  • 1 format error
  • 2 problem at name server
  • 3 domain reference problem
  • 4 query type not supported
  • 5 administratively prohibited


DNS Question section

  • Variable length – Query name
  • 16 bits – query type
  • 16 bits – query class


DNS Query Name

  • 6vulcan2ee7iastate3edu0
  • Numbers are the count fields; they are in binary
  • The count fields are only 6 bits, to tell the difference between a count value and an offset pointer used for compression


DNS Types

  • 1 – A – Address
  • 2 – NS – Name server
  • 5 – CNAME – Alias
  • 6 – SOA – Start of Authority
  • 11 – WKS – Well known services
  • 12 – PTR – IP to name conversion
  • 13 – HINFO – Host info
  • 15 – MX – Mail exchange
  • 28 – AAAA – IPv6 address
  • 252 – AXFR – Request a zone transfer
  • 255 – ANY – Request all records


DNS Resource Record

  • Domain name – Variable length (pointer to the name in the query section)
  • Domain type (16 bits) same as query
  • Domain class (16 bits) same as query
  • Time to Live (32 bits) number of seconds, 0 = don't cache
  • Resource data length (16 bits)
  • Resource data (variable length)


Resource data

  • Number (4 bytes – V4)
  • Domain name (variable length)
  • Offset pointer (upper two bits of first byte = 11)
  • Char string – 1 byte length followed by characters


Compression

  • 11 [address of the beginning byte]
  • 12 is the first byte of the question section
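The DNS message layout of the last few slides (12-byte header and flags field, response codes, question section, the 6vulcan2ee7iastate3edu0 name encoding, resource records, the 11-prefixed compression pointer, and the in-addr.arpa name of a reverse query), as one added example that is not part of the lecture slides: a Python parser for the header, question and answer sections that follows compression pointers and rejects a pointer that does not point backwards, since a forward or self-referencing pointer would otherwise loop forever. The flag decoder also exposes the RD (recursion desired) bit, which RFC 1035 places between TC and RA and the slide's list does not mention. The sample response for vulcan.ee.iastate.edu and the looping message are constructed here, not captured traffic.

```python
import struct
from typing import Tuple

# Type and response-code names as listed on the slides.
DNS_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 11: "WKS", 12: "PTR",
             13: "HINFO", 15: "MX", 28: "AAAA", 252: "AXFR", 255: "ANY"}
RCODES = {0: "No Error", 1: "format error", 2: "problem at name server",
          3: "domain reference problem", 4: "query type not supported",
          5: "administratively prohibited"}


def parse_header(msg: bytes) -> dict:
    """12-byte header: id, flags and the four section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1,            # recursion desired (RFC 1035; not on the slide)
            "ra": (flags >> 7) & 1, "z": (flags >> 4) & 7,
            "rcode": RCODES.get(flags & 0xF, f"rcode {flags & 0xF}"),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a count-prefixed name (6vulcan2ee7iastate3edu0) at offset; a count
    byte with top bits 11 is a 14-bit pointer. Returns (name, next offset)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        count = msg[offset]
        if count & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:                  # must point back, or it can loop forever
                raise ValueError("compression pointer does not point backwards")
            suffix, _ = read_name(msg, ptr)
            return ".".join(labels + [suffix]), offset + 2
        if count & 0xC0:
            raise ValueError("reserved label type")
        if count == 0:
            return ".".join(labels) + ".", offset + 1
        labels.append(msg[offset + 1:offset + 1 + count].decode("ascii"))
        offset += 1 + count


def parse_message(msg: bytes) -> dict:
    """Header, question section and answer section of a query or response."""
    hdr = parse_header(msg)
    off, questions, answers = 12, [], []
    for _ in range(hdr["qdcount"]):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": DNS_TYPES.get(qtype, qtype), "class": qclass})
    for _ in range(hdr["ancount"]):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("resource data length exceeds message")
        if rtype == 1 and rdlen == 4:          # A: 4-byte IPv4 number
            data = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):              # NS, CNAME, PTR: a (possibly compressed) name
            data, _ = read_name(msg, off)
        else:
            data = rdata.hex()
        off += rdlen
        answers.append({"name": name, "type": DNS_TYPES.get(rtype, rtype),
                        "class": rclass, "ttl": ttl, "data": data})
    return {"header": hdr, "questions": questions, "answers": answers}


def is_well_formed(msg: bytes) -> bool:
    try:
        parse_message(msg)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False


def encode_name(name: str) -> bytes:
    """Inverse of read_name for building test messages (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 characters")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ipv4: str) -> str:
    """Name queried for the reverse (PTR) lookup of an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def build_sample_response() -> bytes:
    """Constructed A response for vulcan.ee.iastate.edu (not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)   # QR, AA, RD, RA set
    question = encode_name("vulcan.ee.iastate.edu") + struct.pack("!HH", 1, 1)
    # answer name is a pointer to offset 12, the first byte of the question section
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([129, 186, 5, 100])
    return header + question + answer


def build_looping_pointer() -> bytes:
    """Constructed malformed query whose question name points at itself."""
    return struct.pack("!HHHHHH", 1, 0, 1, 0, 0, 0) + b"\xC0\x0C" + struct.pack("!HH", 1, 1)
```

The backwards-only rule on pointers is what keeps `read_name` from recursing without bound on a crafted message; the recursion depth is then limited by the message length. Authoritative and additional sections use the same resource-record layout as the answer section and can be parsed with the same loop.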


Header & Protocol attacks

  • Header
– Not many attacks, bad headers are rejected.
– Can be used to leak data through a firewall
  • Protocol
– Simple protocol
– Can use the DNS port number to communicate through a firewall


Authentication

  • Bad DNS Entries
– Break in DNS server
– Rogue DNS server
– DNS cache poisoning
– Bogus DNS replies
  • Scope of Damage


DNS attack damage scope

Figure 7.18 DNS Attack Damage Scope (figure: Root Server, First Level Server, and the DNS servers of ISP.net, abc.com and xyz.com, with Zone 1, Zone 2, Zone 3 and User 1)


Traffic

  • DNS server flooding can cause delayed or dropped responses. DNS clients will try 4 times, so they often will get an answer
  • Sniffing is not a problem


DNS

  • DNSSEC is a new protocol and server that offers authenticated DNS with certificates.
– Not widely adopted
  • DNS is a major weak point in the Internet. Taking down the DNS system can take down the entire Internet.


Transport Layer Security

Figure 7.19 TLS Stack (figure: Application layers above TLS, which sits above TCP, IP and NET)


TLS Protocol
